I gotta go along with everybody who questions whether you are really at risk using WEP. If you check available networks, there are probably several in your neighborhood that have no security at all. Why would somebody go to the effort to crack your chastity belt, when there are others nearby with wide open beavers? Plus, turning off SSID broadcast is a good idea as well. I think your concern is misplaced.
Put it on a surge protector, then. Bricker jr can remember to turn off the glowing rocker switch when he’s done easier than unplugging a cable. And if not, you’ll notice it.
You know, as someone who used to work in Nintendo’s call center no more than a year and a half ago, and still have many friends there, I resent these comments. They’re trained well, but they’re (most often) not network specialists; they’re merely providing you with the information that they have available.
Also, I find your stringent concern over your network to be a bit…unnecessary. As others have alluded to, the odds of someone trying to hack your connection are pretty much nil. And even if they do, so what?
I’m sitting in my bedrrom on my laptop right now. I can see six WiFi signals from here.
When we first moved in after the renovation, I had WEP running (had to support an older laptop), and someone in the immediate neighborhood glommed onto my signal and started downloading crap.
So, yes, the risk in this location is not theoretical. And non-broadcasting SSID is not remotely secure. Kismet or Netstumbler will extract the SSID from captured packets – in other words, if you have the tools to crack WEP, the lack of a broadcast SSID is not the slightest additional impediment.
No, I don’t agree with you. Even if the first response was a product of a reasonably intelligent person who was “trained well” but simply “not a network specialist,” the utterly unresponsive second answer was inexcusable. If the question asked is beyond the scope of knowledge of the support tech, then he or she can escalate the call, or even say “I’m sorry, I don’t know.” I would never have started this thread to complain about that answer.
Well, in my case, the odds aren’t “pretty much nil” since it has happened.
If they do, so what? Well, maybe they’ll download kiddie porn and I’ll get a visit from the FBI; maybe they’ll host a torrent of the new Celine Dion album and I’ll get a lawsuit from the RIAA. Maybe I don’t want those events to happen, and maybe I’ll manage my risk on my own network like a responsible person and not a total fucking tool.
But hey, that hat looks good on you.
Why don’t you run WEP for a while and see if anybody leeches your bandwidth?
Six visiple wiFi signals. Five are WEP. One is WPA. None open.
No, it isn’t.
Asked and answered.
How could I check? I don’t have an easy way of checking traffic.
Look, I already have a Linux box running a web proxy. On Saturday I’m going to add a dual ethernet card and set up Snort in IPS, inline mode. Then I’ll plug in an old SMC WAP that only supports WEP.
Then I’ll write a couple of rules for Snort that drop any packets not destined for Nintendo’s addresses.
I thought there was software that did it. Anyway, I’m a total scrub at this network stuff and your lingo has my head spinning, so I will take my leave and wish you the best.
There is, but you have to have a place to run the software. In other words, the hardware that’s running that software has to be in position physically, topologically, to see the traffic.
My network has a core switch, to which is connected the home’s wired nodes, the wireless access point, and a Linux box with two interfaces: one connected to the internal switch and the other to my cable modem.
That Linux box would be the place to sniff traffic, but I don’t have anything installed on it to do that. I could install something, but the effort to do that would be similar to the effort to install the solution I’m thinking of.
enable wep. Lock out all unkown mac addresses.
a few years ago maybe it was a problem, but when you can go to McDonalds and use THEIR wifi signal to download porn there is no reason to hack a residential one.
How did you know the guy was doing it before?
Not as good as the ass on yours.
How is it that nobody else is asking the relevant question, which is why Nintendo fails to support WPA, given that WEP has been obsolete for years? In The Year Of Our Lord Two Thousand And Eight, that’s as ridiculous as selling a printer that can only be connected to the computer via a parallel cable.
What about a second WAP running WEP in the router’s DMZ. That way your son can connect to the internet from his DS, but anyone connecting to the WEP WAP won’t have access to your network. You could even turn off the WEP WAP when it’s not being used so lessen the security risk even more.
Possibly because the DS was released in 2003 and hasn’t really gone through significant upgrades since that point in time - unless you count a new form factor with the DS Lite. Few people don’t buy a DS because it only supports WEP, adding WPA is a development and production cost that won’t add value to the product at this point in its lifecycle. Seems like the DS is still widely successful and Nintendo is making good business decisions.
Again, too easy to spoof a MAC address. In fact, that’s part of the process for cracking WEP – you generate a fake authentication request by spoofing the MAC address of a connected client to get the header packets that contain the WEP key. And since every single valid client has its MAC address plainly visible in each packet it sends floating through the air, it’s no trick at all to discover a an existing valid MAC address.
I had the cable modem and router up and connected, but no clients connected, and saw flashy light traffic on the router. So I connected to the router and looked at its log of outbound traffic and saw a bunch, with an internal IP address that I don’t use. (It was outside my DHCP scope and not one of the static servers I have, and, anyway, none of my clients were even powered on.)
His traffic was to a eDonkey-type peer-to-peer site. Which must have sucked for him, 'cause no port forwarding, so he would be getting crappy performance. But it was there and it was real.
Thank you. It’s amazing that I post a rant about why DS only supports an encryption standard so insecure it can be broken by a meth-addled retarded monkey, and everyone’s questions are, “Gee, Bricker, are you taking your computer security too seriously?”
My concern isn’t so much my internal network. In fact, I’d say that there’s very little on my network that’s vulnerable to attack, since I stay fully patched and impose reasonably strict security settings via GPO to all my internal Win machines and keep my Linux boxes pretty hardened.
My concern is an attacker using my connection for outbound traffic. Your proposed configuration would still permit that.
Also, I’m not sure what you mean when you say “In your router’s DMZ.” There’s only one internal network. Let’s say I set up a second WAP. Setting up a DMZ on the router typically refers to using NAT port-forwarding to direct all incoming, otherwise unassigned traffic to a particular device. But the device itself is still part of the Layer 2 internal broadcast domain.
In other words, if I set up a second WAP, without physically isolating it, then what would stop it from getting to my internal network?
Personally, I use a combination of MAC filtering and turning down the wireless power so that I can’t sync a laptop outside the faraday cage of my aluminum siding–I think I’d notice if someone were up against my basement window grabbing a signal. =P
Then I felt pretty secure about putting WEP instead of WPA on my home wireless.
Ironically, so my wife can play Animal Crossing.